0% found this document useful (0 votes)

1K views21 pages

Security Onion - Network Security Monitoring in Minutes

This document discusses Network Security Monitoring (NSM) using Security Onion. Security Onion allows setting up NSM in just 2 minutes using a setup wizard. It collects and correlates multiple data types including alerts, sessions, transactions, and full packet captures. The Sguil analysis interface integrates these data types and allows pivoting between them. Security Onion provides tools for packet analysis, hunting for malware, and monitoring hosts with OSSEC. The document encourages contributions to the open source Security Onion project.

Uploaded by

clu5t3r

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

1K views21 pages

Security Onion - Network Security Monitoring in Minutes

Uploaded by

clu5t3r

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 21

Security

Onion
Network Security Monitoring in Minutes

Doug Burks

Feel the pain

Does your tradi;onal IDS give you all the data you need?

The Beauty of Network Security Monitoring

Mul;ple data types (not just IDS alerts)

Sguil is the de facto reference implementa;on of NSM:

l
l
l
l

Alert data (NIDS alerts from Snort/Suricata and HIDS alerts from OSSEC)
Session data (SANCP)
Transac;on data (HTTP logs from Bro)
Full content data (daemonlogger)

Lots of pieces in the jigsaw puzzle

hNp://nsmwiki.org/images/e/ea/Sguil-0.7.dfd.png

Setup wizard puts the jigsaw puzzle

together for you!
Takes only 2 minutes!

Snorby
Web interface
Web 2.0
AJAX
Ruby on Rails
Buzzword compliant!

Squert web interface

The Ul;mate Analyst Worksta;on

l Security Onion in a VM on your Desktop
l Sguil client connects to Sguil server
l Pull pcaps back to your VM for extended analysis

Sguil client designed

by analysts for analysts

Right-click Src/Dst IP and Query SANCP

table (Session Data)

Right-click Src/Dst IP and query Event table

to access HTTP logs (Transac;on Data)

Right-click Alert ID to pivot to Full Content

(transcript in Sguil or pcap in Wireshark)

PCAP Tools
We haz them

NetworkMiner
Theres gold in them
thar PCAPs!

Mul;ple Sguil sensors

hNp://securityonion.blogspot.com/2011/04/security-onion-20110321-distributed.html

Bro IDS
Bro records a tremendous
amount of ac;onable
intelligence about your
network trac. The logs can
be found in:
/nsm/bro/logs

Hunt for Evil User Agents

zcat /nsm/bro/logs/*/hNp* |bro-cut -d user_agent |sort |uniq -c |sort -nr

Look for malicious user agents like:

Bobs Evil Clown C&C Agent

or just outdated and vulnerable sohware like:
zcat /nsm/bro/logs/*/soh* |bro-cut -d name version.major |grep
Firefox |grep -v 12 |sort |uniq -c |sort nr
110 Firefox 3
71 Firefox 11
53 Firefox 10
hNp://pauldotcom.com/2011/10/in-search-of-evil-user-agents.html

Argus

NIDS is great, but what about HIDS?

OSSEC monitors local logs and can receive logs from OSSEC Agents and
standard Syslog

OSSEC alerts are stored in /var/ossec/logs/alerts/

Sguil OSSEC Agent transmits those alerts to the Sguil server

One-man bands make crappy music

Interested in joining an open source project?
Security Onion needs:
l

Documenta;on

Artwork

Web interface

Performance benchmarks

Package maintainers

hNp://code.google.com/p/security-onion/wiki/TeamMembers

Where do we go now?
hNp://securityonion.blogspot.com

Updates are announced here and it also has the following links:

l

Download/Install

FAQ

Mailing List

IRC #securityonion on irc.freenode.net

TIA EIA 568 B.2 1final
No ratings yet
TIA EIA 568 B.2 1final
86 pages
Core Impact 7.5
100% (1)
Core Impact 7.5
214 pages
Tourism MS
No ratings yet
Tourism MS
22 pages
To Operating: Systems
No ratings yet
To Operating: Systems
564 pages
CTF Field Guide
No ratings yet
CTF Field Guide
49 pages
Cyber Security Lab
No ratings yet
Cyber Security Lab
27 pages
Colorful Cybersecurity Presentation
No ratings yet
Colorful Cybersecurity Presentation
13 pages
Siem
100% (1)
Siem
55 pages
(@CyberBankSa) - eCXD Labs
No ratings yet
(@CyberBankSa) - eCXD Labs
286 pages
The Importance and Applications of Data Compression
No ratings yet
The Importance and Applications of Data Compression
4 pages
Security Onion: Network Security Monitoring in Minutes Doug Burks
No ratings yet
Security Onion: Network Security Monitoring in Minutes Doug Burks
21 pages
Data Mining Unit-IV
No ratings yet
Data Mining Unit-IV
37 pages
Suricata, Pfsense and WAZUH
No ratings yet
Suricata, Pfsense and WAZUH
9 pages
What Is A Software Process?
No ratings yet
What Is A Software Process?
30 pages
Prinect Product Portfolio
No ratings yet
Prinect Product Portfolio
143 pages
1.1network Attack and Defense Strategies
No ratings yet
1.1network Attack and Defense Strategies
18 pages
Wazuh Linkedin
No ratings yet
Wazuh Linkedin
30 pages
CCST EH WAP Course Modules
No ratings yet
CCST EH WAP Course Modules
9 pages
Isomeron: Code Randomization Resilient To (Just-In-Time) Return-Oriented Programming
No ratings yet
Isomeron: Code Randomization Resilient To (Just-In-Time) Return-Oriented Programming
15 pages
CCNA 2 - 3th Ed Web Chapter 11
No ratings yet
CCNA 2 - 3th Ed Web Chapter 11
38 pages
Open SSL
No ratings yet
Open SSL
19 pages
Porting OSE Systems To Linux
No ratings yet
Porting OSE Systems To Linux
39 pages
Fortianalyzer V5.0 Patch Release 6: Administration Guide
No ratings yet
Fortianalyzer V5.0 Patch Release 6: Administration Guide
218 pages
Introduction To UX Design
No ratings yet
Introduction To UX Design
8 pages
Antivirus (In) Security: Chaos Communication Camp 2007
No ratings yet
Antivirus (In) Security: Chaos Communication Camp 2007
39 pages
DefCon 22 - Mass Scanning The Internet
No ratings yet
DefCon 22 - Mass Scanning The Internet
13 pages
CCNASecurity Ch5
No ratings yet
CCNASecurity Ch5
77 pages
A Formal Security Analysis of The Signal Messaging Protocol
No ratings yet
A Formal Security Analysis of The Signal Messaging Protocol
30 pages
2014 Security Trends Attacks Advance, Hiring Gets Harder, Skills Need Sharpening John Pescatore
No ratings yet
2014 Security Trends Attacks Advance, Hiring Gets Harder, Skills Need Sharpening John Pescatore
23 pages
Mini Mk8 MM Manual 24.07.2020
No ratings yet
Mini Mk8 MM Manual 24.07.2020
194 pages
Cisco - Qa - Wpa, Wpa2, Ieee 802.11i
No ratings yet
Cisco - Qa - Wpa, Wpa2, Ieee 802.11i
9 pages
An Inductive Chosen Plaintext Attack Against WEP-WEP2
No ratings yet
An Inductive Chosen Plaintext Attack Against WEP-WEP2
18 pages
Forensic Toolkit: Sales and Promotional Summary
No ratings yet
Forensic Toolkit: Sales and Promotional Summary
8 pages
CCNA 2 - 3th Ed Web Chapter 10
No ratings yet
CCNA 2 - 3th Ed Web Chapter 10
28 pages
Cisco - Specification - XR1200 Series Router
No ratings yet
Cisco - Specification - XR1200 Series Router
9 pages
Book Box Collection Box: Core Impact 7.5 Crack
No ratings yet
Book Box Collection Box: Core Impact 7.5 Crack
4 pages
Anisha ETL DataEngineer
No ratings yet
Anisha ETL DataEngineer
7 pages
Red Team Operations
No ratings yet
Red Team Operations
15 pages
Presentation 3 PDF
No ratings yet
Presentation 3 PDF
8 pages
Consider The Following: X (Base 3) X (Base 2) X X (Base 5) Multiplication Same Base
No ratings yet
Consider The Following: X (Base 3) X (Base 2) X X (Base 5) Multiplication Same Base
8 pages
CCNA 2 - 3th Ed Web Chapter 02
No ratings yet
CCNA 2 - 3th Ed Web Chapter 02
31 pages
SMTS File - 1 RS20200105 2020 05 19 14 - 26 - 04
No ratings yet
SMTS File - 1 RS20200105 2020 05 19 14 - 26 - 04
2 pages
Week 4 Secure Information System
No ratings yet
Week 4 Secure Information System
19 pages
Lab 8 Packet Tracer Version
No ratings yet
Lab 8 Packet Tracer Version
6 pages
Iot-Based Intelligent Waste Management System
No ratings yet
Iot-Based Intelligent Waste Management System
29 pages
Network Attacks - A Deeper Look
No ratings yet
Network Attacks - A Deeper Look
35 pages
GSM SIM800C Manual
No ratings yet
GSM SIM800C Manual
19 pages
EpicWeb Customer Portal User Guide
No ratings yet
EpicWeb Customer Portal User Guide
11 pages
The Six Elements To Block-Building Approaches For The Single Container Loading Problem
No ratings yet
The Six Elements To Block-Building Approaches For The Single Container Loading Problem
15 pages
IPDevice Integration Patch 20200622
No ratings yet
IPDevice Integration Patch 20200622
6 pages
7 Steps To Your SOC Analyst Career
No ratings yet
7 Steps To Your SOC Analyst Career
51 pages
17 Soar
No ratings yet
17 Soar
70 pages
PS.2024.C3.Corte1.Pruebas de Integracion.223204.GallegosBorraz
No ratings yet
PS.2024.C3.Corte1.Pruebas de Integracion.223204.GallegosBorraz
6 pages
Week 11 APP Tutorial Assignment
No ratings yet
Week 11 APP Tutorial Assignment
4 pages
HP Software and Driver Downloads For HP Printers, Laptops, Desktops and More - HP® Customer Support
No ratings yet
HP Software and Driver Downloads For HP Printers, Laptops, Desktops and More - HP® Customer Support
1 page
SANS Google SecOps The SIEMs Third Act
No ratings yet
SANS Google SecOps The SIEMs Third Act
15 pages
Exam Guide - 406 - Kinetic Tools Management
No ratings yet
Exam Guide - 406 - Kinetic Tools Management
8 pages
Mobile C-Arms
No ratings yet
Mobile C-Arms
1 page
Heer Selarka
No ratings yet
Heer Selarka
2 pages
Smart Moderator Project Report
No ratings yet
Smart Moderator Project Report
113 pages
Web Application Firewalls: When Are They Useful?: The Owasp Foundation
No ratings yet
Web Application Firewalls: When Are They Useful?: The Owasp Foundation
44 pages
AX7203 User Manual
No ratings yet
AX7203 User Manual
57 pages
Master CyberOps Session 10
No ratings yet
Master CyberOps Session 10
76 pages
Windows Security Event Logs Cheatsheet
No ratings yet
Windows Security Event Logs Cheatsheet
8 pages
SE CH04 Software Requirement Analysis
No ratings yet
SE CH04 Software Requirement Analysis
77 pages
Anurag Resume
No ratings yet
Anurag Resume
3 pages
How To Restore Deleted Files From The Recycle Bin
No ratings yet
How To Restore Deleted Files From The Recycle Bin
1 page
Malware Analysis
No ratings yet
Malware Analysis
5 pages
Analyst Tool in Security Onion
No ratings yet
Analyst Tool in Security Onion
3 pages
CA Module 26
No ratings yet
CA Module 26
27 pages
Penetration Test Report Mr. Robot
No ratings yet
Penetration Test Report Mr. Robot
12 pages
Cisco - Labs 1.6.1 - Packet Tracer Skills Integration Challenge
No ratings yet
Cisco - Labs 1.6.1 - Packet Tracer Skills Integration Challenge
3 pages
12.4.1.1 Lab - Interpret HTTP and DNS Data To Isolate Threat Actor PDF
No ratings yet
12.4.1.1 Lab - Interpret HTTP and DNS Data To Isolate Threat Actor PDF
17 pages
Master CyberOps Session 5
No ratings yet
Master CyberOps Session 5
80 pages
NSA 2023 Review CyberSecurity Report
No ratings yet
NSA 2023 Review CyberSecurity Report
36 pages
Introduction To Security Onion: Conference Paper
No ratings yet
Introduction To Security Onion: Conference Paper
5 pages
Nessus Lab V12nov07
No ratings yet
Nessus Lab V12nov07
6 pages
Corelight's Introductory Guide To Threat Hunting With Zeek (Bro) Logs
No ratings yet
Corelight's Introductory Guide To Threat Hunting With Zeek (Bro) Logs
6 pages
Lab Rats Inc.: Project Plan
No ratings yet
Lab Rats Inc.: Project Plan
139 pages
Mayur Kumar Jain - (Resume)
No ratings yet
Mayur Kumar Jain - (Resume)
3 pages
Ddos Handbook Online PDF
No ratings yet
Ddos Handbook Online PDF
37 pages
Installing and Configuring Pfsense
No ratings yet
Installing and Configuring Pfsense
43 pages
12 Questions To Ask A DDoS Mitigation Provider Technical Series Prolexic White Paper A4 082412
No ratings yet
12 Questions To Ask A DDoS Mitigation Provider Technical Series Prolexic White Paper A4 082412
8 pages
WAF Evasion Techniques
No ratings yet
WAF Evasion Techniques
9 pages
NICF - Linux System Administration (SF) : 20 Slides Supplement To The Trainer's PP File Form Linux Foundation
No ratings yet
NICF - Linux System Administration (SF) : 20 Slides Supplement To The Trainer's PP File Form Linux Foundation
22 pages
Securing Java Applications With XML Hardener
No ratings yet
Securing Java Applications With XML Hardener
26 pages
Graylog Optimizing SIEM Log MGMT Ebook
No ratings yet
Graylog Optimizing SIEM Log MGMT Ebook
12 pages
Module 152.5 - Lesson - Network Instrusion Detection and Prevention Systems
No ratings yet
Module 152.5 - Lesson - Network Instrusion Detection and Prevention Systems
26 pages
Ddos
No ratings yet
Ddos
30 pages
8 Steps To A DDoS Mitigation Plan - GD 1
No ratings yet
8 Steps To A DDoS Mitigation Plan - GD 1
2 pages
Kustodian SIEMonster High Level Design V1.8
No ratings yet
Kustodian SIEMonster High Level Design V1.8
28 pages
Owasp Docker
No ratings yet
Owasp Docker
25 pages
En CCNAS v11 Ch05
No ratings yet
En CCNAS v11 Ch05
102 pages
1.2. Lab Setup Virtualbox and Kali Linux v1
No ratings yet
1.2. Lab Setup Virtualbox and Kali Linux v1
11 pages
6.3.1.2 Packet Tracer Layer 2 Security
No ratings yet
6.3.1.2 Packet Tracer Layer 2 Security
4 pages
The Honeypot Project
No ratings yet
The Honeypot Project
43 pages
Lesson 4 Collecting and Querying Security
No ratings yet
Lesson 4 Collecting and Querying Security
37 pages
Case Study Groupon Aws Wazuh
No ratings yet
Case Study Groupon Aws Wazuh
2 pages
Day 2
No ratings yet
Day 2
37 pages
SOC Monitoring Mindmap
No ratings yet
SOC Monitoring Mindmap
1 page
Honeypot Technology
No ratings yet
Honeypot Technology
18 pages
Security Onion Cheat Sheet
No ratings yet
Security Onion Cheat Sheet
2 pages
Open SSL
No ratings yet
Open SSL
2 pages
Advanced Attack Detection Using OSSIM
No ratings yet
Advanced Attack Detection Using OSSIM
11 pages
LAB - Creating Rules
No ratings yet
LAB - Creating Rules
31 pages
Nexpose Enterprise Edition: Vulnerability Management To Combat Today's Threats
No ratings yet
Nexpose Enterprise Edition: Vulnerability Management To Combat Today's Threats
2 pages
© 2018 Caendra, Inc. - Hera For PTP - SNMP Analysis
No ratings yet
© 2018 Caendra, Inc. - Hera For PTP - SNMP Analysis
13 pages
LTS Secure Security Information and Event Management (Siem)
No ratings yet
LTS Secure Security Information and Event Management (Siem)
8 pages
DS ThreatEmulation Final
No ratings yet
DS ThreatEmulation Final
2 pages